The basic idea of Trusted Computing is that security on a computer is obtained via hardware, through a specific chip dedicated exclusively to this task and called Trusted Platform Module (TPM). It's a very controversial project, as I wrote four years ago. Originally sold as a beneficial security system for users (which is partially true), trusted Computing and Palladium risk to open the doors to inviolable copy-protection systems and to censorship and surveillance issues to unprecedented levels.

The Electronic Frontier Foundation raises a fundamental doubt that is valid for all hardware-based security solutions: if security is managed by a chip, it is necessary to make sure that the chip does not contain implementation errors, or still worse, undocumented access channels. Because if they really exist, they are not removable: the chip is wired to the motherboard. If security is managed by software, I can change the software whenever I like, and if I use open source software in order to guarantee my security, I can check (or have others do it) that it works as it is supposed to do, without errors nor traps.

As far as I know (and IBM's refutation is too vague to be categorical), a computer equipped with a TPM chip is a computer that can refuse to obey to his owner's commands and that can also decide by itself to execute only the software apps and the operating systems approved by its computer's manufacturer. Bad stuff.

There are many PCs that already integrate this technology, even if no operating system presently uses the TPM chip for disputable goals.

Until now the TPM chip has been used only to cypher user's data and some other things, and evenWindows Vista will not implement it in an extensive way. Linux offers the use of the TPM chip as an option.

It's simple: it is not clear whether the newMacs with the Intel chip inside that are now on sale do have a TPM chip installed in them or not. And I am not likely to buy a Mac (indeed, I would not even buy a toaster) if it contains a spy chip whose operations I cannot control.

Such privacy and security distortion are the absolute negation of the term "personal computer".

The computer is mine!: it is not a shared condominium with uncle Bill, Hollywood people driving in limousines and the music market bosses.

But there is an important precedent: when Apple announced the migration from PowerPc processors to Intel processors, it made some PCs with Intel processor and a custom-built version of Mac OS X, available only to the developers, long time before the serial Intel Macs were available to the public. These PCs for developers certainly had a TPM chip. At OSX86Project.org, there are pictures that show the TPM chip wired to the motherboard of these "custom-built" Macs. The TPM chip is an Infineon, like this one.

The function of the TPM chip in the developers' PCs was to avoid that the custom-built Mac OS X could be installed on non-Apple computers. That solution did not really work as expected, but this is another story. What really matters is to determine whether available production Macs available now in the stores have this contested chip or not.

"largely documented, both by several developers' websites and the descriptive cards of some Apple distributors"

but I could not find any of them. I have instead found quite a few sites that dissectMacBook Pro, Intel Mac Mini and iMac Core Duo, but there's no trace or mention of the TPM chip. Even the official Apple's website is mute about the presence of TPM chips inside the new Intel Macs.

It is instead reasonably sure thatthe new Macs operating system searches the TPM chip. There are in facts parts of Mac OS X Intel that directly query the optional TPM chip. As mentioned before, its function, for now, seems to be to simply to avoid that Mac OS X could run on non-Apple computers, but nothing prevents the chip from being used in the future for other purposes. Given Apple's high stakes in the online music business (read iTunes), it would not be unreasonable to expect, for example, Steve Jobs' company to use the chip as a DRM management system (anti-copy), with all the consequences in terms of restrictions that would be imposed on individual users, and which would not be based upon constitutional law but by the whims of theRIAA and the MPAA.

But, there is anarticle written in German by Heise.de that seems to confirm the presence of the evil chip while providing also its exact location:

"The Japanese website Kodawarisan shows the images of a dismembered iMac with Core Duo processor, where it is shown that this Apple Computer contains an Infineon TPM chip. Certainly, the caption on the 28 pin IC close to the Intel Southbridge (82801GBM, also ICH7-M) is not well readable, but the Infineon logo is clearly recognizable."

I have taken a look at the pictures mentioned in the link provided by Heise.de (which I had already found via Google), but I see no trace of the TPM chip. It is also true that Heise.de has a very high reputation and as such it would never write that there's a "recognizable Infineon logo" without any reason. Perhaps some higher resolution images were previously available.

This is really critical information to understand whether it's still ok to buy and recommend Apple products or it is better to get your hands on some of the older PowerPc Macs before they disappear from the market.

UPDATE: March 30th 2006

Fab, one of the readers of my blog, thanks to the comments section on my original article, has contributed a picture that maybe shows the chip: I publish it here below. I think that it is not clear enough and it seems that the captions on the chip do not match with the original official ones of the Infineon chip (which you can see at the top of this article) nor with those of developers' Macs, but it is a possible precious hint.

I have also received the translation of the full article on Heise.de (thanks to r. pulito), in which I have left the most relevant links (I have also done some minor editing changes to further clarify some points).

"The first Intel Pentium-4 processor based systems, sold by Apple from the first half of 2005 as Developer Transition Kits (DTK) to developers who were members of the Apple Developer Connection (ADC) (and now exchanged with iMacs within the DTK Exchange Program), were equipped with a Trusted Platform Module (TPM) by Infineon, which was wired to the Intel motherboard.

The Japanese web page Kodawarisan displays some pictures of an iMac with a Dual Core processor. According to these pictures, this Apple computer still integrated an Infineon TPM chip. Unfortunately, the integrated 28 pin mark close to the Intel South Bridge (81801CBM, also ICH7-M) is not readable, though the Infineon logo is clearly recognizable and it should be the SLB 9635 TT 1.2, compatible with TCG-TPM-1.2.

It is pretty surprising that Apple does not state anything about the existence of this chip (component SLB 9635 TT 1.2) within the existing iMac documentation, which clashes with Apple own rigid criticism towards the TCPA/TCG initiative about "Trusted Computing". It is not yet clear whether the TPM chip is active by default and not deactivable, just like computer models available to the early developers mentioned above.

Also, it is not clear in which way this component should be used. Until now, its presence and main use were understood to be the one of a hardware-dongle, whose function was to prevent the installation of Mac OS X on computer motherboards lacking the TPM chip.

An perennially active TPM chip, that requires no explicit "Taking ownership" activation procedure would be, again, deeply incompatible with the guidelines of TCG's "Best Practices and Principles"; however, I must note that Apple is not a member of this group. Not only. The fact that TPM chips could be used to support the forced imposition of a Digital Rights Management system on end users is clearly mentioned in the TCG's FAQs.

Kodawarisan's pictures also undoubtedly reveal the use of the i945GM chipset and not of its variants i945PM or i945GT. It is not clear why Apple aims at a more expensive version of the chipsets while, in the same time, it installs a separate PCIe graphics chip.

This is not an April Fool's day hoax; yesterday I received the pictures of a iMac 1.83 monoprocessor's motherboard.

The images show a Infineon chip with the following code: SLB9635TT12 - G546K1V 00Za544257. This one could be the TPM chip: as it has been noted in the comments provide by my readers, the first line of the caption is like the one that was on the TPM Infineon chip installed on Intel Macs for developers.

I have also more detailed pictures of the motherboard: the complete image-set is accessible on Flickr. If anyone is capable to further identify the chip on the basis of these identification codes (Google does not reveal anything by searching for them), please post it in the comments.

Having ascertained beyond any reasonable doubt that there is a TPM chip in the new Macs, we now need to decide what to do:

Purchase a PowerPc Mac before it disappears from the market, knowing that at least two or three years will pass before the migration is completed and all the Mac software is available in Universal Binary?

Swallow the toad and hope that Apple only wants to use the TPM chip as an copy prevention system in order to block installation of Mac OSX on non-Apple computers?

Migrate to Linux - maybe a version specifically designed for Apple Intel computers in which there is no software that calls the TPM chip - and in which one can deactivate via BIOS or EFI the TPM chip?

Look for non-Apple PCs without a TPM chip and install Linux on it? And how do we know which PCs don't have separate TPM chips or (worse) TPM modules integrated in the processor?

First, you say that Media companies acknowledge that DRM does not work.

Next, you say that transcorporations need DRM.

So, yes, the solution IS to migrate to open systems such as Linux. Just to keep such fucks as Tom in their own bay. ALONE.

2007-01-22 15:28:40

Tom Bowers

What I find most disturbing about this article is how myopic it is. I have been following the TPM since its inception and even broke IBM's early version wide open (>5 years ago) while employed with a large F100 company. I frankly don't care about the entertainment industry as they are already learning that DRM doesn't work in the marketplace. However large enterprises are another story entirely. F1000 companies that are outsourcing or creating strategic alliances NEED TPM to protect the intellectual property they've created. Additionally TPM helps to minimize privacy data breaches. TPM is NOT the wonder drug but a powerful anti-piracy device nonetheless. Oh and BTW if you buy a computer with a TPM chip the software is free from the PC manufacturer, you simply need to load and configure.